CVE-2026-23306
- Source
- https://cve.org/CVERecord?id=CVE-2026-23306
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23306.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23306
- Downstream
- Published
- 2026-03-25T10:27:01.719Z
- Modified
- 2026-04-14T03:47:38.707407Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- scsi: pm8001: Fix use-after-free in pm8001_queue_command()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free in pm8001queuecommand()
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001taskexec()") refactors pm8001queuecommand(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.
In this path, pm8001queuecommand() updates task status and calls taskdone to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sasataqcissue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free.
Since pm8001queuecommand() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23306.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7
- https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7
- https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3
- https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b
- https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4
- https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23306.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23306
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede29c47fe8946cc732b0e0d393b65b13c84bb69d0Fixedebbb852ffbc952b95ddb7e3872b67b3e74c6da47Fixed8b00427317ba7b7ec91252b034009f638d0f311bFixedc5dc39f8ae055520fd778b7fb0423f11586f15c4Fixed824a7672e3540962d5c77d4c6666254d7aa6f0b3Fixed227ff4af00abc40b95123cc27ee8079069dcd8d7Fixed38353c26db28efd984f51d426eac2396d299cca7